governance, risk and compliance
October 2011
Contents
Introduction 1
Understanding the problem 2
Challenges 6
Employing a holistic approach 10
  Data governance 13
  Data loss prevention controls 16
  Supporting information security processes 17
  Using technology to support the DLP program 18
Ernst & Young insights and lessons learned 20
Don't be a victim 21
Introduction
Over the last few years, companies in every industry sector around the
globe have seen their sensitive internal data lost, stolen or leaked to
the outside world. A wide range of high-profile data loss incidents have
cost organizations millions of dollars in direct and indirect costs and
have resulted in tremendous damage to brands and reputations. Many
different types of incidents have occurred, including the sale of customer
account details to external parties and the loss of many laptops, USB
sticks, backup tapes and mobile devices, to name just a few. The vast
majority of these incidents resulted from the actions of internal users
and trusted third parties, and most have been unintentional.
As data is likely one of your organization's most valuable assets,
protecting it and keeping it out of the public domain is of paramount
importance. To accomplish this, a number of data loss prevention (DLP) controls
must be implemented, combining strategic, operational and tactical measures.
However, before DLP controls can be effectively implemented,
your organization must understand the answer to these three
fundamental questions:
1. What sensitive data do you hold?
2. Where does your sensitive data reside, both internally and with
third parties?
3. Where is your data going?
This paper explores these questions and the challenges organizations
face in relation to business drivers and regulatory obligations for
protecting this data. We will share our point of view and approach to
data loss prevention, along with insights and lessons learned from our
experiences working with some of the most advanced companies in the
world on data loss prevention practices.
Understanding the problem
Recent highly publicized events, such as the leaking of government and corporate data to
Wikileaks and the sale of customer banking records to tax authorities, have demonstrated
that it is more difficult than ever to protect your organization's internal data. Advances in
technology and productivity tools have made collaboration in the workplace easier, while
also creating new vectors for data to leave the organization. Likewise, business demands
to embrace new technologies such as social media and mobile devices have made it
impossible for most organizations to simply build and rely on a strong perimeter for
adequate protection.
Economic pressures on individuals and the monetization of data on the black market have
created an environment where people with access to information can convert data into
cash. Employees also find the lines between personal and business system use blurred
in the modern workplace, resulting in many situations where users unintentionally leak
internal data.
In the context of this document, data loss is the extraction and/or dissemination of sensitive
data of an organization that can intentionally or unintentionally put an organization at risk.
The term data leakage is also commonly used to refer to the same idea.
For a better understanding of how to address IT risk and develop an effective IT risk management function, please refer to
Ernst & Young's insights on governance, risk and compliance report, The evolving IT risk landscape, published in June 2011.
An overview of recent megatrends included in this paper shows that data protection will continue to be a significant challenge for
organizations. Four of the six megatrends discussed are linked to the risk category "data", highlighting the fact that many of the
technology trends observed in the market result in increasing data risk.
Table: megatrends and the categories of the IT risk universe they affect
Columns: Megatrend; Business/IT risks; Categories of IT risk universe affected; Business benefit
Megatrends: Emerging consumerization; The increased importance of business continuity; Enhanced persistence of cybercrime; Increased exposure to internal threats; The accelerating change agenda
Categories of the IT risk universe: Data; Infrastructure; Applications and databases; Staffing; Operations; Physical environment
Business/IT risk recorded for the increased importance of business continuity: 24/7/365 availability of IT systems to enable continuous consumer support, operations, e-commerce and other functions
Table: cost of a security breach (in $, as given in the source) for three illustrative companies

Cost category                          Company A                   Company B: low-profile breach   Company C: high-profile breach
                                       (description missing)       in a regulated industry         in a highly regulated industry
Discovery, notification and response   $50                         $50                             $50
Lost employee productivity             $20                         $25                             $30
Opportunity cost                       $20                         $50                             $100
Regulatory fines                       $0                          $25                             $60
Restitution                            $0                          $0                              $30
(row label missing)                    $0                          $5                              $10
Other liabilities                      $0                          $0                              $25
Total                                  $90                         $155                            $305

Source: The Forrester Wave: Information Security and Risk Consulting Services, Q3 2010, Forrester Research, Inc., 2 August 2010.
1. Calculating The Cost Of A Security Breach, Khalid Kark, Forrester Research Inc., April 10, 2007.
Several high-impact incidents have occurred recently that have resulted in high costs and extreme media attention for the
affected companies:

Web technology firm: On its official weblog, a web technology firm published a message that it had uncovered a ploy to collect user
passwords, likely through phishing. This ploy affected the personal accounts of hundreds of users, including, among others, senior
US Government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military
personnel and journalists.

Public health corporation: A public health corporation had to notify 1.7 million patients, staff, contractors, vendors and others about a
reported theft of electronic record files that contained their personal information, protected health information or personally
identifiable employee medical information. The information included Social Security numbers, names, addresses and medical histories.

International oil and gas company: An international oil and gas company lost a laptop which contained personal information for 13,000
individuals, including names, Social Security numbers and addresses. The laptop was not encrypted, and the information lost was for
claimants against the company.

US public agency: Personal details for 3.5 million teachers and other employees of a US public agency were accidentally published on
the Internet. Information released included names, Social Security numbers and birthdates. This data had been posted on the internet
for more than a year without the organization realizing it.

National retail bank: Two thousand customer records from a national retail bank were stolen by employees prior to leaving and joining a
competitor firm. Records included customer bank account numbers, Social Security numbers and other highly sensitive personal data
such as tax returns and pay statements.

Online storage provider: According to a blog post, an online storage provider explained that due to an authentication bug, all accounts
were at risk of a data breach. As soon as the bug was discovered, as a precaution all logged-in sessions were disconnected. The bug
was active for almost four hours and took five minutes to fix.
So, what is new? Threats of data loss from internal users have always
been a risk. To sum up the changing landscape and increasing risk:
1. There are now many more ways data can leave an organization
(i.e., data loss vectors).
2. Storage is cheap. Many gigabytes of data can walk out of the
door on an employee's keychain or smartphone or be sent
through online systems such as Dropbox.
3. Data is everywhere. Decentralized systems and work collaboration
tools make it much more difficult for organizations to track and
control information within the business.
4. Data has value in the real world, including from seemingly
legitimate sources.
5. The most recent generation of workers to join companies
has grown up with openness and information sharing as a
cultural norm.
Challenges
From our experience, one of the greatest challenges in managing data loss is that there
are so many reasons why data loss can occur, numerous data loss scenarios to account for
and many different controls that must be effective in order to manage the problem.
There is no simple solution or tool that can be implemented to address the variety of data
loss risks that organizations face. In order to address the pervasive issue that data loss
risks pose, a comprehensive solution that includes people, processes and technology
needs to be implemented.
Figure: causes and effects of data loss
Causes: loss or theft of laptops and mobile devices; unauthorized transfer of data to USB devices; improper categorization of sensitive data; insufficient response to intrusions; unintentional transmission of sensitive data
Your data: customer data; personally identifiable data; transaction data (held across sales, contractors, HR, legal, finance, customer service and R&D)
Effects: loss of competitive advantage; loss of market share; erosion of shareholder value; fines and civil penalties; litigation/legal action; loss of customers; regulatory fines/sanctions; significant cost and effort to notify affected parties and recover from the breach

Common unintentional data loss themes
People: lack of awareness; lack of accountability
Process: lack of data usage policies/guidance; lack of data transmission procedures; lack of data usage monitoring
Technology: lack of flexibility in remote connectivity; no content-aware DLP tools; lack of secure communication platforms

Employees feel that there is no risk involved in breaking the rules (i.e., no one is watching so I will not be caught).
Data category      Case description
Customer data      Exploitation of weaknesses in a database's development environment
Transaction data   (description missing)
Corporate data     Employee discontent
Corporate data     Insider trading
Corporate data     (description missing)
Figure: where data resides
Data at rest: databases or repositories
Data in use: workstations; laptops
Data in motion: firewall; workstations; internet
Figure: holistic approach to data loss prevention
Data governance: policies and standards; identification; risk assessment; classification; architecture; quality
Data loss prevention controls, by function area (covering structured and unstructured data):
  Data in motion: perimeter security; network monitoring; remote access
  Data in use: access/usage monitoring; data anonymization; data redaction; export/save control
  Data at rest: endpoint security; host encryption; network/internet storage
Supporting information security processes: identity/access management; security information/event management; configuration management; vulnerability management; incident response; physical security; asset management; data privacy/document protection; third-party management and assurance; business continuity; disaster recovery; regulatory compliance management; change management/SDLC
Data governance
Going through this exercise will help you to prioritize DLP activities
so that the highest risk data is protected first.
Figure: examples of sensitive data, grouped into corporate data, transaction data and customer data:
price/cost lists; bank payments; customer list; full name; B2B orders; spending habits; birthday, birthplace; new designs;
vendor data; contact details; biometric data; source code; sales volumes; user preferences; genetic information; formulas;
purchase power; process advantages; revenue potential; payment status; pending patents; sales projections; contact history;
intellectual property; discount ratios; account balances; unreleased merger/acquisition plans and financial reports;
purchase/transaction history; payment/contract terms; legal documents; employee personal data
- Transmission of sensitive data through email and the internet
- Storage of sensitive data on mobile devices, laptops, workstations and non-company owned equipment
- Storage of sensitive data on company file and document repositories (where it is acceptable and not acceptable to store sensitive data)
- Appropriate use of remote access technologies
- Use of technology not provided by the organization (such as work use of personal email accounts, portable devices, storage and media)
- User responsibilities for classifying data at the point of creation and ensuring that sensitive data users create is included in relevant data/information inventories
In addition, DLP principles should be used to drive security
requirements in system development and change projects.
Example principles include:
- Sensitive data may not be transmitted through public networks without adequate encryption
- Third-party due diligence/information security assurance
- Only company-approved technologies may be used to exchange data with third parties
- Access to sensitive data must be logged and monitored where appropriate
- Access to sensitive data stored on information systems must be restricted to those who require it to perform their job responsibilities
- Sensitive data may not be shared with third parties without sufficient contracts in place specifying information security requirements, their obligations to protect company data, their responsibilities for monitoring their own third parties and the company's right to audit and monitor
- Sensitive data must be anonymized before being stored in less controlled environments, such as test and development environments
- Sensitive data must be adequately protected through all stages of the data lifecycle and the systems development lifecycle (SDLC)
Data loss prevention controls: focus areas, purpose and supporting technologies (only partly recoverable from the source tables)

Data in motion
  Focus areas: Perimeter security; Network monitoring; Data collection and exchange with third parties; Remote access
  Purpose of data collection and exchange with third parties: ensure that data exchange with third parties only occurs through secure means
  Supporting technologies recorded: DLP technology

Data in use
  Focus areas: Access/usage monitoring; Data sanitation; Data redaction; Export/save control

Data at rest
  Focus areas: Endpoint security; Host encryption; Network/intranet storage
  Purpose of endpoint security: restrict access to local admin functions such as the ability to install software and modify security settings; prevent malware, viruses, spyware, etc.
  Supporting technologies for endpoint security: operating system workstation restrictions, security software (e.g., A/V, personal firewall, etc.), endpoint DLP technology
Table: DLP tool types (purpose column missing): endpoint-based tools; network-based monitoring tools; network-based scanning tools; perimeter DLP prevent tools

Figure: risk reduction versus complexity of DLP deployment phases
Monitor phase: network monitoring (data in motion); endpoint monitoring and discovery (data at rest)
Prevent/protect phase: network prevent; endpoint prevent (data in use)
Axes: risk reduction (low to high); complexity (low to high)
These include:
- Difficulty scaling to support many languages
- Limited effectiveness in identifying sensitive intellectual property
- Limited built-in support for standard data formats outside of the United States
- Limited deployment capabilities in different countries based on local privacy laws
These are among the reasons that effective people and processes
are as important as ever in managing data loss risks. Users must
be aware of the risks, DLP roles and responsibilities must be clearly
defined and processes must be in place to properly configure DLP
tools and to act efficiently on the output.
Lessons learned
From our involvement helping many clients with their DLP programs,
we have identified the following practices that can help to make a
DLP program successful:
Determine goals and objectives for your DLP program up front
As with all change initiatives, DLP programs should help achieve
strategic business objectives and provide benefits in return for
the costs incurred. Clear goals and objectives based on the company
strategy and mission should be determined up front as a baseline
for your program. This will ensure that the program is focused on
protecting the data that is most important to the business.
Address all aspects of people, process and technology
As we have illustrated, a defense-in-depth approach must be
taken, with clear roles and responsibilities for individuals, fit-for-purpose
tools to identify and prevent data loss and effective
processes to research and respond to incidents.
Establish ample executive support, understanding and participation
Company-wide support and involvement from
various business and operating units will create more user
acceptance of the transition toward a more secure environment
and will help to ensure that business input is provided at key stages.
Defining sensitive data is a fundamental requirement
Implementing DLP technology and controls universally across an
organization has an adverse and costly impact on the business.
By defining sensitive data up front and aligning the program to
protect the most sensitive data, organizations can ensure that
resources are spent managing the highest risks.
Focus on a defense-in-depth approach, not just complying with legislation
A DLP implementation should not be based
solely on solving your compliance issues but should focus on the
entire risk spectrum that affects your data.
Figure: common weaknesses: poor information classification definition and user awareness; no authoritative source exists for share ownership; access approval performed without proper context; limited or non-existent entitlement review process
Top practical tips to help optimize your data loss prevention program
1. Identify and classify your data. A well-developed, granular
data classification scheme will enable your company to design
and implement the proper controls for different types of data.
A data inventory, linking the data classification scheme to
specific data held within the IT infrastructure and with external
parties, will help appropriately scope your DLP program.
Don't be a victim
The ever-evolving risk landscape is becoming more
challenging to manage. With data loss, prevention is
always better than recovering after a breach. Today's
common threats are being accelerated by technological
evolution. Data loss through social media, consumerization,
cybercrime and internal threats represents an increasing
business risk. An organization that knows which data
Contacts
paul.van.kessel@nl.ey.com, +31 88 40 71271
jay.layman@ey.com
EMEIA: Jonathan Blackmore, jblackmore@uk.ey.com
Asia-Pacific: Iain Burnet, iain.burnet@au.ey.com
Japan: Shohei Harada, harada-shh@shinnihon.or.jp
jose.granado@ey.com
EMEIA: Ken Allan, kallan@uk.ey.com
Asia-Pacific: Mike Trovato, mike.trovato@au.ey.com
Japan: Shinichiro Nagao, nagao-shnchr@shinnihon.or.jp